Mailman cannot relay e-mails to non-local domains
My e-mail server runs Debian with postfix, dovecot, amavis, mailman, with postfixadmin in a virtual domain setup. All works fine, except for mailman which is not able to relay e-mails to non-local domains ("relay access denied"), while I can relay e-mails to any recipient with postfix authenticated smtp.
Here follows my setup.
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = no
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
message_size_limit = 0
mydestination = $myhostname, localhost.my-domain.it, localhost
mydomain = my-domain.it
myhostname = postino.my-domain.it
mynetworks = 127.0.0.0/8, x.x.x.x/32
myorigin = /etc/mailname
owner_request_special = no
propagate_unmatched_extensions = canonical
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = _
relay_domains = lists.my-domain.it
relayhost =
show_user_unknown_table_name = no
smtp_tls_note_starttls_offer = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 10
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,check_helo_access hash:/etc/postfix/access,reject_invalid_helo_hostname
smtpd_junk_command_limit = 3
smtpd_recipient_restrictions = reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_recipient,reject_non_fqdn_sender,reject_unauth_destination,reject_unauth_pipelining,reject_unknown_recipient_domain,reject_unknown_sender_domain,check_policy_service unix:private/policyd-spf,check_policy_service inet:127.0.0.1:10023,reject_rbl_client cbl.abuseat.org,reject_rbl_client dnsbl.njabl.org,permit_auth_destination,reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access,reject_unknown_sender_domain,reject_non_fqdn_sender
smtpd_soft_error_limit = 2
smtpd_tls_always_issue_session_ids = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
master.cf
smtp inet n - - - - smtpd
submission inet n - - - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlistsd_sender=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o content_filter=smtp-amavis:[127.0.0.1]:10026
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
-o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
smtp-amavis unix - - n - 20 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
-o local_header_rewrite_clients=
policyd-spf unix - n n - 0 spawn
user=nobody argv=/usr/bin/python /usr/bin/policyd-spf /etc/postfix-policyd-spf-python/policyd-spf.conf
/etc/postfix/transport
lists.my-domain.it mailman:
The error in the logs:
May 11 09:06:42 gabble postfix/smtpd[8390]: NOQUEUE: reject: RCPT from www.my-domain.it[127.0.0.1]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<gabble.my-domain.it>
Thanks in advance for any help you will offer.
Solution 1:
The `relay_domains` parameter determines which destination domains Postfix relays mail to -- that is, the domains that your email server will accept mail for in addition to its mailname -- so this line isn't going to help you send list mail to outside domains (I assume this is what you are trying to achieve with it, anyway).
You are restricting the MAIL FROM address to those listed in `/etc/postfix/access` -- make sure that includes `lists.my-domain.it`.
You have `reject_unauth_destination` fairly early in your `smtpd_recipient_restrictions` line, and according to postconf(5), that rejects the recipient unless either:
- the resolved RCPT TO domain matches $relay_domains or a subdomain thereof, or
- Postfix is the final destination: the resolved RCPT TO domain matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains
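If you want this box to be able to send out any mail that it generates, you need to add `permit_mynetworks` before `reject_unauth_destination`, so that mail coming from your networks is approved regardless of where it is going. The rejected client in your log connects from 127.0.0.1, which is inside your `mynetworks`, so this rule would match it. Because every client matching `mynetworks` may then relay to any destination, keep `mynetworks` limited to hosts you control (as it is now: 127.0.0.0/8 plus a single /32); widening it would make the server an open relay for every address in the range.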